IBM Support

Setting up journal forwarding from Microsoft Exchange Online to IBM Content Collector

Question & Answer


Question

Can I set up journal forwarding from Microsoft Exchange Online in a way that IBM Content Collector can archive the journal reports for compliance, and what must I watch out for?

Answer

Microsoft Exchange Online supports configuring journal rules to forward journal reports for messages delivered to or sent from a Microsoft Exchange Online domain to an external mailbox (for details, see http://technet.microsoft.com/en-us/library/jj898487%28v=exchg.150%29.aspx). Using this mechanism, the IBM Content Collector SMTP Receiver can be configured to receive these journal reports and archive them for compliance.

However, some restrictions apply on both ends that should be observed when configuring such a setup.

Microsoft Exchange Online

As journal reports might contain sensitive information, you are generally advised to forward these reports only over a secure connection. By default, Microsoft Exchange Online is configured to use opportunistic TLS, which means that it attempts to send journal reports via a TLS/SSL connection. If this does not succeed, it sends the reports unencrypted using the standard SMTP protocol. By specifying a so-called outbound connector, the connection can be configured to force TLS, which means that only TLS-encrypted messages are transmitted and an unencrypted connection is refused. For details about this mechanism, see http://technet.microsoft.com/en-us/library/jj723154%28v=exchg.150%29.aspx.

However, for both of the above configuration options, Microsoft Exchange Online relies on the receiving server supporting StartTLS. It always connects to the remote mail server over TCP port 25, which is the default port for unencrypted SMTP (whereas SMTP over TLS defaults to port 465).

The IBM Content Collector SMTP receiver supports StartTLS starting with version 4.0. For earlier versions of IBM Content Collector, SMTP forwarding from Microsoft Exchange Online works only in unencrypted standard SMTP mode.


IBM Content Collector SMTP Receiver

Configuring a journal rule in the Microsoft Exchange Admin Center only allows you to specify a mailbox by its recipient name. It does not allow you to provide a user name and password to authenticate to the recipient's mail server. For the configuration of the IBM Content Collector SMTP Receiver, this means that SMTP authentication must be turned off, although in general only authenticated communication should be used. This poses a potential risk: with the default SMTP port open and no authentication required, any sender who is aware of the IBM Content Collector SMTP Receiver's internet IP address could send email, which would be archived by IBM Content Collector like any regular email.

To prevent this situation, you should take precautions on the server that hosts the IBM Content Collector SMTP Receiver. One possibility is to configure your firewall to allow only connections from the IP addresses that provide the journal reports from your Microsoft Exchange Online domain (for example *.outbound.protection.outlook.com). However, this is possible only if the firewall allows you to specify rules based on domains rather than specific IP addresses.
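The following is an added example, not IBM or Microsoft code. It shows the check that a domain-based rule has to perform on each connecting address, namely forward-confirmed reverse DNS against the suffix from the pattern above. The function names are hypothetical, and the addresses and DNS records are constructed sample data.

```python
import ipaddress
import socket

# Suffix from the page's example pattern *.outbound.protection.outlook.com
ALLOWED_SUFFIX = ".outbound.protection.outlook.com"

# Constructed DNS data (documentation address ranges) so the check runs offline.
SAMPLE_PTR = {
    "192.0.2.10": "mail-a.outbound.protection.outlook.com.",
    "198.51.100.7": "mail.example.net",
    "203.0.113.5": "mail-b.outbound.protection.outlook.com",  # forged PTR
}
SAMPLE_A = {"mail-a.outbound.protection.outlook.com": ["192.0.2.10"],
            "mail-b.outbound.protection.outlook.com": ["192.0.2.99"]}


def dns_reverse(ip):
    """PTR name for ip from live DNS, or None when there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def dns_forward(host):
    """Addresses that host resolves to in live DNS."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except OSError:
        return []


def _norm(addr):
    """Parse an address so that equal IPs compare equal; None if invalid."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def is_allowed_sender(ip, reverse=dns_reverse, forward=dns_forward):
    """True only if ip passes forward-confirmed reverse DNS for the suffix."""
    host = (reverse(ip) or "").rstrip(".").lower()
    if not host.endswith(ALLOWED_SUFFIX):
        return False
    # The PTR record is set by whoever controls the address block, so the
    # name must also resolve back to the connecting address.
    confirmed = {_norm(a) for a in forward(host)} - {None}
    return _norm(ip) in confirmed
```

Called with only an address, the function queries live DNS; the `reverse` and `forward` parameters accept substitute resolvers such as lookups into the sample tables.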


Document Information

Modified date:
17 June 2018

UID

swg21648828